
Re: Compiling in SELinux in the default kernels



On Fri, 5 Nov 2004 15:02:04 +0100, Martin Pitt <mpitt@debian.org> said: 

> Hi!  Manoj Srivastava [2004-11-05 1:39 -0600]:
>> I would once again like to bring up the possibility of compiling in
>> support for SELinux in 2.6.9+ kernels, but leaving them disabled by
>> default at boot time.  [...]  I think this would be really helpful
>> to our users, since then they can choose to try out SELinux by just
>> adding a stanza to grub or lilo -- try things out in non-enforcing
>> mode, for instance.

> I fully support this, however, SELinux seems to be a quite intrusive
> story. As opposed to grsecurity/LIDS/RSBAC/etc. I think it needs a
> bunch of patched system packages to work properly.

	That is correct, and that is being worked upon.

> I did not thoroughly check this recently, but I don't think that all
> patches went in the default distribution already. Just look at
> 227972, an outstanding RC bug with no reply, open for nearly 300
> days now.

	While it is true that selinux-policy-default is uninstallable
 in Sid, and it is not likely to be working in Sarge, the idea is to
 get the patches into core packages (coreutils, procps, etc) so that
 selinux-policy-default would actually work. Currently, there is an
 aptable repository of SELinux packages on
deb http://www.coker.com.au/newselinux/ ./
 which is needed to get things working (and that does have the new pam
 stuff).

> So in addition to providing kernel support, it would be great to
> also ship the necessary user space stuff in Debian proper. Then we
> could label ourselves as "SELinux support out of the box", which
> would be really a good asset. :-)

	I think most people are in agreement on this score.

	manoj
-- 
Even a stopped clock is right twice a day. --anonymous
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


